The Entertainment Software Ratings Board (ESRB) applied for approval of proposed modifications to its COPPA safe harbor program. The FTC’s COPPA Rule requires, among other things, that operators of commercial websites and online services directed to children under the age of 13, or general audience websites and online services that knowingly collect personal information from children under 13, must obtain parental consent before collecting, using, or disclosing any personal information from children under the age of 13. The FTC’s COPPA Rule includes a “safe harbor” provision that allows industry groups and others to ask the Commission to approve self-regulatory guidelines that implement the protections of the Rule. Companies that comply with an FTC-approved safe harbor program are exempt from agency enforcement action under the Rule.

Earlier this year, the FTC sought comment on ESRB’s proposed changes to its COPPA safe harbor guidelines. For example, ESRB proposed changes to its definition of “personal information and data” in light of recently issued Commission guidance about collection of audio recordings.

The FTC received five comments from individuals and consumer advocates. For example, the Campaign for a Commercial-Free Childhood and the Center for Digital Democracy jointly recommended changes to ESRB’s proposal. Among their recommendations was that ESRB retain language from the existing program that defines street-level geolocation information as personal information and data, and include language that would make it a requirement – instead of a suggestion – to limit collection of “personal information and data.” Another commenter, the Electronic Privacy Information Center, called for other changes, including asking that the Commission reject a proposed change that would narrow ESRB’s definition of “child/children” to only U.S. residents. The revised guidelines approved by the Commission include a number of changes to address issues identified by commenters.

Buckling up in the car is a precaution parents take to protect themselves and their children. When it comes to the Children’s Online Privacy Protection Act, navigating the rules of the COPPA Road helps protect your business and the kids who visit your website or use your online service. Most companies are familiar with COPPA’s mandate to get parental consent up front before collecting personal information from children under 13. But there’s another requirement farther down the COPPA Road that some businesses may not know about.

Remember that public service announcement: “It’s 8:00. Do you know where your children are?” Technology has given parents tools for answering that question. But under the Children’s Online Privacy Protection Rule, online services touted as ways to keep kids connected need to comply with key parental notice and consent provisions of COPPA – especially when they’re collecting children’s geolocation. That’s the message of two warning letters just sent by FTC staff.

The staff of the Federal Trade Commission sent letters to two foreign companies that market electronic devices and apps that appear to collect geolocation data from children, warning that the companies may be in violation of the Children’s Online Privacy Protection Act (COPPA) Rule.

The letters were sent to China-based Gator Group Co., Ltd., and Sweden-based Tinitell, Inc., which both provide online services. Gator Group advertises an app and a device called the Kids GPS Gator Watch, which it markets as a “child’s first cell phone.” Tinitell has also marketed an app that works with a mobile phone worn like a watch, which is also designed for children. Although Tinitell has stopped selling the devices, they will continue to operate through September 2018. Copies of the letters were also sent to the Apple App Store and the Google Play Store, which make the apps available to consumers in their stores.

The FTC’s COPPA Rule requires companies collecting personal information from children under the age of 13 to post clear privacy policies and to notify parents and get their consent before collecting, using or sharing personal information from a child.

In its letters to the two companies, the FTC noted that even though they are based outside the United States, foreign companies are required to comply with COPPA when their services are directed to children in the United States or they knowingly collect information from U.S.-based children.

The online services offered by both companies appear to be directed to children and to collect precise geolocation information from children. The letters note that a review of both companies’ services reveal that they do not appear to provide direct notice of their collection practices and do not seek verifiable parental consent before collecting, using or disclosing personal information as required by COPPA.

The letters encourage the companies to review their online services, policies and procedures to ensure they are in compliance with COPPA.

The Federal Trade Commission is seeking public comment on proposals to modify a video game industry self-regulatory program that the FTC approved in 2001 under the agency’s Children’s Online Privacy Protection Rule.

The changes are being sought by the Entertainment Software Ratings Board (ESRB) and would modify the organization’s COPPA safe harbor program, which is aimed at ensuring compliance with FTC regulations and guidance related to the Children’s Online Privacy Protection Act (COPPA).

The FTC’s COPPA Rule requires, among other things, that operators of commercial websites and online services directed to children under the age of 13, or general audience websites and online services that knowingly collect personal information from children under 13, must post comprehensive privacy policies on their sites, notify parents about their information practices, and obtain parental consent before collecting, using, or disclosing any personal information from children under the age of 13.

The FTC’s COPPA Rule includes a “safe harbor” provision designed to encourage increased industry self-regulation in this area. Under this provision, industry groups and others may ask the Commission to approve self-regulatory guidelines that implement the protections of the Rule. Companies that comply with the FTC-approved guidelines receive safe harbor from agency enforcement action under the Rule.

In a notice to be published in the Federal Register shortly, the FTC is seeking comment on modifications proposed by ESRB to its COPPA safe harbor program. Among the proposed modifications, ESRB seeks to amend the definition of “personal information and data” to track the additional COPPA Rule guidance the FTC released in October 2017 related to audio recordings. Other proposed modifications include the elimination of a requirement that new participants in ESRB’s safe harbor program complete an initial self-assessment questionnaire before joining.

Those seeking to comment should follow the directions in the Federal Register notice and will have 30 days to comment until May 9, 2018.

NOTE: Publication of this Federal Register notice does not indicate Commission approval of the proposed modifications to ESRB’s safe harbor program.

The Federal Trade Commission will host a Twitter chat to discuss the 20th anniversary of the passage of the Children’s Online Privacy Protection Act (COPPA). Acting FTC Chairman Maureen K. Ohlhausen will discuss the FTC’s work to enforce COPPA and ensure the FTC’s rule implementing the law stays in step with evolving technologies and data collection practices.

WHAT:

The FTC will host a Twitter chat to answer questions related to the 20th anniversary of the passage of COPPA.

Movie legend has it that screen siren Lana Turner was discovered as a teen at Schwab’s Drugstore. The millions of people who signed up for online talent search network Explore Talent were also looking to break into the business.

A web-based talent search company has agreed to pay $235,000 in civil penalties to settle Federal Trade Commission charges that it failed to obtain parental consent before collecting personal information from children, and that it misled consumers about the benefits of its premium paid services.

The FTC’s complaint against Nevada-based Prime Sites, Inc. alleges that the company – doing business as Explore Talent – violated the Children’s Online Privacy Protection Act (COPPA) by collecting and disclosing children’s personal information without obtaining parental consent and by failing to detail to parents and the public its collection, use, and disclosure practices. The complaint also alleges that the company violated the FTC Act by baselessly representing to prospective purchasers of its premium services that casting directors either had interest in them or had specifically chosen them for upcoming roles.

“Explore Talent collected the personal information of more than 100,000 children, but failed to adhere to the safeguards required by law,” said Acting FTC Chairman Maureen K. Ohlhausen. “Today’s settlement provides strong relief for consumers and will help ensure children are protected going forward.”

Explore Talent has marketed itself to aspiring actors, models, and other artists as a way to search for information about upcoming auditions, casting calls, and other professional opportunities. According to the complaint, the site required users, including children under age 13, to submit personal information such as their names, email addresses, telephone numbers and mailing address in order to create a free account or a premium, paid account. The company included some of this information in user profiles that were publicly available and searchable on the company’s website.

COPPA requires that companies collecting information online about children under 13 follow a number of steps to ensure that the children’s information is protected, including clearly disclosing directly to parents how the information is used and seeking verifiable parental consent before collecting any information from a child.

Between 2014 and 2016, ExploreTalent.com had more than 100,000 members who registered as under age 13, according to the FTC complaint.

According to the complaint, the company falsely stated in its privacy policy that it does not knowingly collect personal information from children under age 13 and that accounts for such children needed to be created by a legal guardian. However, the site did not place any restrictions on users who indicated they were under age 13 and did not take steps to verify whether a profile was being created by a legal guardian.

The FTC also alleges that Explore Talent misrepresented the benefits of upgrading to a “pro membership,” which cost $39.95 a month. While the site offered accounts for free, only its pro members could apply for potential job opportunities available on the site.

To sell users on signing up for a pro membership, the company’s telemarketers falsely claimed that casting directors for particular movies were interested in casting the users in an upcoming role, according to the complaint. One user reported that a telemarketer said the casting director for a sequel of the movie “Jack Reacher” wanted the user to audition for a paid speaking role in the film – but only if the user signed up for a pro membership first. However, when the user contacted the casting director, the user was told that the film was not working with Explore Talent, and in fact, all the speaking roles in the movie had already been cast.

As part of its settlement, the defendant has agreed to a $500,000 civil penalty, which will be suspended upon payment of $235,000. In addition, the company is required to comply with COPPA requirements in the future and to delete the information it previously collected from children.

The Commission vote authorizing the staff to file the complaint and stipulated final order was 2-0. The Department of Justice, on behalf of the FTC, filed the complaint and stipulated final orderin the U.S. District Court for the District of Nevada.

NOTE: The Commission files a complaint when it has “reason to believe” that the law has been or is being violated and it appears to the Commission that a proceeding is in the public interest. Stipulated orders have the force of law when approved and signed by the District Court judge.

We can’t guarantee its effectiveness in getting kids to eat their vegetables or finish their homework. But there’s one circumstance in which a Mom or Dad’s “Because I said so . . . .” is the law of the land. When it comes to the online collection of personal information from kids under 13, the Children’s Online Privacy Protection Rule (COPPA) puts parents in charge.

Note: A conference call for media with Tom Pahl, Acting Director of the FTC’s Bureau of Consumer Protection, will occur as follows: Date: January 8, 2018Time: 1 p.m. ETCall-in info: (800) 230-1093; Confirmation Number: 442576Call-in lines, which are for media only, will open 15 minutes prior to the start of the call. FTC staff will be available to take questions from the media.

In a complaint filed by the Department of Justice on behalf of the FTC, the Commission alleges that the Kid Connect app used with some of VTech’s electronic toys collected the personal information of hundreds of thousands of children, and that the company failed to provide direct notice to parents or obtain verifiable consent from parents concerning its information collection practices, as required under the Children’s Online Privacy Protection Act (COPPA). In its first children’s privacy case involving Internet-connected toys, the FTC also alleges that VTech failed to use reasonable and appropriate data security measures to protect personal information it collected.

“As connected toys become increasingly popular, it’s more important than ever that companies let parents know how their kids’ data is collected and used and that they take reasonable steps to secure that data,” said Acting FTC Chairman Maureen K. Ohlhausen. “Unfortunately, VTech fell short in both of these areas.”

COPPA requires that companies collecting personal information from children under 13 online follow steps to ensure that children’s information is protected, including clearly disclosing to parents the information it collects, how the information will be used, and seeking verifiable parental consent. Companies also must take reasonable measures to protect the confidentiality, security and integrity of the personal information they collect about children.

According to the complaint against VTech, the company collected personal information from parents on its Learning Lodge Navigator online platform, where the Kid Connect app was available for download, and also through a now-defunct web-based gaming and chat platform called Planet VTech. Before using Kid Connect or Planet VTech, parents were required to register and provide personal information including their name, email address as well as their children’s name, date of birth and gender. VTech also collected personal information from children when they used the Kid Connect app.

As of November 2015, about 2.25 million parents had registered and created accounts with Learning Lodge for nearly 3 million children. This included about 638,000 Kid Connect accounts for children. In addition, about 134,000 parents in the United States created Planet VTech accounts for 130,000 children by November 2015.

With respect to Kid Connect, VTech failed to provide direct notice of its information collection and use practices to parents and did not link to its privacy policy in each area where personal information was collected from children.

At the same time, the complaint alleges that the company did not take reasonable steps to protect the information it collected through Kid Connect, such as implementing adequate safeguards and security measures to protect transmitted and stored information and implementing an intrusion prevention or detection system to alert the company of an unauthorized intrusion of its network. In November 2015, VTech was informed by a journalist that a hacker accessed its computer network and personal information about consumers including children who used its Kid Connect app.

The FTC also alleges that VTech violated the FTC Act by falsely stating in its privacy policy that most personal information submitted by users through the Learning Lodge and Planet VTech would be encrypted. The company, however, did not encrypt any of this information.

In addition to the monetary settlement, VTech is permanently prohibited from violating COPPA in the future and from misrepresenting its security and privacy practices as part of the proposed settlement. It also is required to implement a comprehensive data security program, which will be subject to independent audits for 20 years.

The FTC collaborated with the Office of the Privacy Commissioner of Canada, which is releasing its own Report of Findings. To facilitate cooperation with its Canadian partner, the FTC relied on key provisions of the U.S. SAFE WEB Act, which allows the FTC to share information with foreign counterparts to combat deceptive and unfair practices that cross national borders.

The Commission vote authorizing the staff to file the complaint and stipulated final order was 2-0. The complaint and stipulated final order was filed in the U.S. District Court for the Northern District of Illinois.

NOTE: The Commission files a complaint when it has “reason to believe” that the law has been or is being violated and it appears to the Commission that a proceeding is in the public interest. Stipulated final orders have the force of law when approved and signed by the District Court judge.